How to Configure Wire / Tap mode in SonicOS

10/14/2021 62 People found this article helpful 484,615 Views

Download

Print

Share

• LinkedIn
• Twitter
• Facebook
• Email
• Copy URL The link has been copied to clipboard

Description

Wire Mode is a deployment option where the SonicWall appliance can be deployed as a Bump in the Wire. It provides a least-intrusive way to deploy the appliance in a network.

Wire Mode is very well suited for deploying behind a pre-existing Stateful Packet Inspection (SPI) Firewall. Wire Mode is a simplified form of Layer 2 Bridge Mode. A Wire Mode interface does not take any IP address and it is typically configured as a bridge between a pair of interfaces. None of the packets received on a Wire Mode interface are destined to the firewall, but are only bridged to the other interface.

Wire Mode operates in one of 4 different modes

The following table summarizes the key functional differences between modes of interface configuration:

• a. These functions or services are unavailable on interfaces configured in Wire Mode, but remain available on a system-wide level
  for any interfaces configured in other compatible modes of operation.
• b. Not available in L2 Bridged Mode.
• c. Link State Propagation is a feature whereby interfaces in a Wire Mode pair will mirror the link-state triggered by transitions of
  their partners. This is essential to proper operations in redundant path networks.
• d. Disabled by design in Wire Mode to allow for failover events occurring elsewhere on the network to be supported
• e. Wire mode supports DPI-SSL in SonicOS 6.2.1.x

Note: When operating in Wire Mode, the firewall's dedicated Management interface will be used for local management. To enable remote management and dynamic security services and application intelligence updates, a WAN interface (separate from the Wire Mode interfaces)
must be configured for Internet connectivity. This is easily done given that SonicOS supports interfaces in mixed-modes of almost any combination.

Resolution

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

To configure an interface for Wire Mode, perform the following steps:

1. Click Manage in the top navigation menu and then Network | Interfaces. Click the Configure button for the interface you want to configure for Wire Mode.
2. In the Zone pull-down menu, select any zone type except WLAN.
3. To configure the Interface for Tap Mode, in the Mode / IP Assignment pull-down menu, select Tap Mode (1-Port Tap).
   • To configure the Interface for Wire Mode, in the Mode / IP Assignment pull-down menu, select Wire Mode (2-Port Wire).
4. In the Wire Mode Type pull-down menu, select the appropriate mode:
   • Bypass (via Internal Switch/Relay)
   • Inspect (Passive DPI of Mirrored Traffic)
   • Secure (Active DPI of Inline Traffic)
5. In the Paired Interface pull-down menu, select the interface that will connect to the upstream firewall. The paired interfaces must be of the same type (two 1 GB interfaces or two 10 GB interfaces).

   Note: Only unassigned interfaces are available in the Paired Interface pull-down menu. To make an interface unassigned, click on the Configure button for it, and in the Zone pull-down menu, select Unassigned.

6. Click OK.
   • Wire Mode can be configured on WAN, LAN, DMZ, and custom zones (except wireless zones). Wire Mode is a simplified form of Layer 2 Bridged Mode, and is configured as a pair of interfaces. In Wire Mode, the destination zone is the Paired Interface Zone. Access rules are applied to the Wire Mode pair based on the direction of traffic between the source Zone and its Paired Interface Zone. For example, if the source Zone is WAN and the Paired Interface Zone is LAN, then WAN to LAN and LAN to WAN rules are applied, depending on the direction of the traffic.
   • In Wire Mode, administrators can enable Link State Propagation, which propagates the link status of an interface to its paired interface. If an interface goes down, its paired interface is forced down to mirror the link status of the first interface. Both interfaces in a Wire Mode pair always have the same link status.
   • In Wire Mode, administrators can Disable Stateful Inspection. When Disable Stateful Inspection is selected, Stateful Packet Inspection (SPI) is turned off. When Disable Stateful Inspection is not selected, new connections can be established without enforcing a 3-way TCP handshake. Disable Stateful Inspection must be selected if asymmetrical routes are deployed.

Configure for Bypass Mode

Bypass Mode allows for the quick and relatively non-interruptive introduction of the SonicWall into a network. Bypass Mode can be configured between a pair of interfaces. All traffic received is bridged to the paired interface. While Bypass Mode does not offer any inspection or firewalling, this mode allows the administrator to physically introduce the firewall into the network with a minimum of downtime and risk, and to obtain a level of comfort with the newly inserted component of the networking and security infrastructure.

How to configure:

• Login to the SonicWall Management GUI
• Navigate to Manage | Network | Interfaces page.
• Click on Configure on any one interface.
• Choose zone as LAN.
• Set Mode / IP Assignment as Wire Mode (2-Port Wire)
• Set Wire Mode Setting to Bypass Mode (via Internal Switch / Relay)
• Choose an unassigned interface under Set Paired Interface.
• The paired Interfaces must be of the same type. For example two 1 GB interfaces or two 10 GB interfces.

In the screenshot below, X4 Interface has been configured in Bypass Mode and paired with X3 Interface.

• In the screenshot below the X0 (LAN) Interface is in the 192.168.168.0 /24 Subnet.
• The X1 (WAN) is connected to an ISP router.
• The X3 & X4 are paired Interfaces in Wire + Bypass Mode.
• With such a configuration in place, hosts behind X0 will be able to go online through the X1 Interface.
• Now assuming another ISP router with an IP of 10.61.130.57 is connected to X3, hosts connected to X4, if configured with IP addresses in the subnet 10.61.130.57, go online through the X3 router.

Inspect Mode

Inspect Mode can be configured between a pair of interfaces. Packets continue to pass through the SonicWall to the paired interface, but they are also mirrored to the DPI engine for the purposes of passive inspection, classification, logging and flow reporting. There is full application threat detection and visualization, but no application control in Inspect Mode.

How to configure:

• Login to the SonicWall Management GUI
• Navigate to Manage | Network | Interfaces page.
• Click on Configure on any one interface.
• Choose zone as LAN.
• Set Mode / IP Assignment as Wire Mode (2-Port Wire)
• Set Wire Mode Setting to Inspect Mode (Passive DPI of Mirrored Traffic)
• Choose an unassigned interface under Set Paired Interface.
• The paired interfaces must be of the same type. For example two 1 GB interfaces or two 10 GB interfces.

In the screenshot below, X2 Interface has been configured in Inspect Mode and paired with X6 Interface.

In Inspect Mode interesting traffic will be logged. For eg. if CFS or IPS Policies are defined to prevent specific traffic, the SonicWall will log them as blocked or prevented without actually doing so.

Secure Mode

Secure Mode is the progression of Inspect Mode, actively applying SonicWall Application Intelligence and Control, Intrusion Prevention Service, Gateway and Cloud-based Anti-Virus, Anti-Spyware and Content Filtering. Secure Mode affords the same level of visibility and enforcement as conventional NAT or L2 Bridge mode deployments, but without any L3/L4 transformations, and with no alterations of ARP or routing behavior. Secure Mode requires no logical, and only minimal physical, changes to existing network designs.

Secure Mode can be configured between a pair of interfaces. All traffic received is fully processed by the firewall. There is full application visualization and control in Secure Mode.

How to configure:

• Login to the SonicWall Management GUI
• Navigate to the Manage | Network | Interfaces page.
• Click on Configure on any one interface.
• Choose zone as LAN.
• Set Mode / IP Assignment as Wire Mode (2-Port Wire)
• Set Wire Mode Setting to Secure Mode (Active DPI of Inline Traffic)
• Choose an unassigned interface under Set Paired Interface.
• The paired interfaces must be of the same type. For example two 1 GB interfaces or two 10 GB interfces.

In the screenshot below, X2 Interface has been configured in Secure Mode and paired with X6 Interface.

Tap Mode

Tap Mode can be configured for a single interface. All traffic received is never sent out of the firewall, but the firewall performs full SPI and DPI processing. There is full application visualization, but no application control in Tap Mode. Typically, a mirror port is set up on the switch to mirror the network traffic to the firewall. Tap Mode provides the same visibility as Inspect Mode, but differs from the latter in that it ingests a mirrored packet stream via a single switch port on the SonicWall eliminating the need for physically intermediated insertion. Tap Mode is designed for use in environments employing network taps, smart taps, port mirrors, or SPAN ports to deliver packets to external devices for inspection or collection. Like all other forms of Wire Mode, Tap Mode can operate on multiple concurrent port instances, supporting discrete streams from multiple taps.

Resolution for SonicOS 6.2 and Below

The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.

To configure an interface for Wire Mode, perform the following steps:

1. On the Network | Interfaces page, click the Configure button for the interface you want to configure for Wire Mode.
2. In the Zone pull-down menu, select any zone type except WLAN.
3. To configure the Interface for Tap Mode, in the Mode / IP Assignment pull-down menu, select Tap Mode (1-Port Tap).
   • To configure the Interface for Wire Mode, in the Mode / IP Assignment pull-down menu, select Wire Mode (2-Port Wire).
4. In the Wire Mode Type pull-down menu, select the appropriate mode:
   • Bypass (via Internal Switch/Relay)
   • Inspect (Passive DPI of Mirrored Traffic)
   • Secure (Active DPI of Inline Traffic)
5. In the Paired Interface pull-down menu, select the interface that will connect to the upstream firewall. The paired interfaces must be of the same type (two 1 GB interfaces or two 10 GB interfaces).

   Note: Only unassigned interfaces are available in the Paired Interface pull-down menu. To make an interface unassigned, click on the Configure button for it, and in the Zone pull-down menu, select Unassigned.

6. Click OK.
   • Wire Mode can be configured on WAN, LAN, DMZ, and custom zones (except wireless zones). Wire Mode is a simplified form of Layer 2 Bridged Mode, and is configured as a pair of interfaces. In Wire Mode, the destination zone is the Paired Interface Zone. Access rules are applied to the Wire Mode pair based on the direction of traffic between the source Zone and its Paired Interface Zone. For example, if the source Zone is WAN and the Paired Interface Zone is LAN, then WAN to LAN and LAN to WAN rules are applied, depending on the direction of the traffic.
   • In Wire Mode, administrators can enable Link State Propagation, which propagates the link status of an interface to its paired interface. If an interface goes down, its paired interface is forced down to mirror the link status of the first interface. Both interfaces in a Wire Mode pair always have the same link status.
   • In Wire Mode, administrators can Disable Stateful Inspection. When Disable Stateful Inspection is selected, Stateful Packet Inspection (SPI) is turned off. When Disable Stateful Inspection is not selected, new connections can be established without enforcing a 3-way TCP handshake. Disable Stateful Inspection must be selected if asymmetrical routes are deployed.

Configure for Bypass Mode

Bypass Mode allows for the quick and relatively non-interruptive introduction of the SonicWall into a network. Bypass Mode can be configured between a pair of interfaces. All traffic received is bridged to the paired interface. While Bypass Mode does not offer any inspection or firewalling, this mode allows the administrator to physically introduce the firewall into the network with a minimum of downtime and risk, and to obtain a level of comfort with the newly inserted component of the networking and security infrastructure.

How to configure:

• Login to the SonicWall Management GUI
• Navigate to the Network | Interfaces page.
• Click on Configure on any one interface.
• Choose zone as LAN.
• Set Mode / IP Assignment as Wire Mode (2-Port Wire)
• Set Wire Mode Setting to Bypass Mode (via Internal Switch / Relay)
• Choose an unassigned interface under Set Paired Interface.
• The paired interfaces must be of the same type. For example two 1 GB interfaces or two 10 GB interfces.

In the screenshot below, X3 interface has been configured in Bypass Mode and paired with X4 interface.

• In the screenshot below the X0 (LAN) interface is in the 192.168.168.0/24 subnet.
• The X1 (WAN) is connected to an ISP router.
• The X3 & X4 are paired interfaces in Wire + Bypass Mode.
• With such a configuration in place, hosts behind X0 will be able to go online through the X1 interface.
• Now assuming another ISP router with an IP of 1.1.1/24 is connected to X3, hosts connected to X4, if configured with IP addresses in the subnet 1.1.1.0/24, go online through the X3 router.

Inspect Mode

Inspect Mode can be configured between a pair of interfaces. Packets continue to pass through the SonicWall to the paired interface, but they are also mirrored to the DPI engine for the purposes of passive inspection, classification, logging and flow reporting. There is full application threat detection and visualization, but no application control in Inspect Mode.

How to configure:

• Login to the SonicWall Management GUI
• Navigate to the Network | Interfaces page.
• Click on Configure on any one interface.
• Choose zone as LAN.
• Set Mode / IP Assignment as Wire Mode (2-Port Wire)
• Set Wire Mode Setting to Inspect Mode (Passive DPI of Mirrored Traffic)
• Choose an unassigned interface under Set Paired Interface.
• The paired interfaces must be of the same type. For example two 1 GB interfaces or two 10 GB interfces.

In the screenshot below, X3 interface has been configured in Inspect Mode and paired with X4 interface.

In Inspect Mode interesting traffic will be logged. For eg. if CFS or IPS Policies are defined to prevent specific traffic, the SonicWall will log them as blocked or prevented without actually doing so.

Secure Mode

Secure Mode is the progression of Inspect Mode, actively applying SonicWall Application Intelligence and Control, Intrusion Prevention Service, Gateway and Cloud-based Anti-Virus, Anti-Spyware and Content Filtering. Secure Mode affords the same level of visibility and enforcement as conventional NAT or L2 Bridge mode deployments, but without any L3/L4 transformations, and with no alterations of ARP or routing behavior. Secure Mode requires no logical, and only minimal physical, changes to existing network designs.

Secure Mode can be configured between a pair of interfaces. All traffic received is fully processed by the firewall. There is full application visualization and control in Secure Mode.

How to configure:

• Login to the SonicWall Management GUI
• Navigate to the Network | Interfaces page.
• Click on Configure on any one interface.
• Choose zone as LAN.
• Set Mode / IP Assignment as Wire Mode (2-Port Wire)
• Set Wire Mode Setting to Secure Mode (Active DPI of Inline Traffic)
• Choose an unassigned interface under Set Paired Interface.
• The paired interfaces must be of the same type. For example two 1 GB interfaces or two 10 GB interfces.

In the screenshot below, X3 interface has been configured in Secure Mode and paired with X4 interface.

Tap Mode

Tap Mode can be configured for a single interface. All traffic received is never sent out of the firewall, but the firewall performs full SPI and DPI processing. There is full application visualization, but no application control in Tap Mode. Typically, a mirror port is set up on the switch to mirror the network traffic to the firewall. Tap Mode provides the same visibility as Inspect Mode, but differs from the latter in that it ingests a mirrored packet stream via a single switch port on the SonicWall eliminating the need for physically intermediated insertion. Tap Mode is designed for use in environments employing network taps, smart taps, port mirrors, or SPAN ports to deliver packets to external devices for inspection or collection. Like all other forms of Wire Mode, Tap Mode can operate on multiple concurrent port instances, supporting discrete streams from multiple taps.

Related Articles

• DC Security Logs with Advanced Auditing
• How to configure numbered VPN tunnel
• Cysurance Partner FAQ

Categories

• Firewalls > SonicWall SuperMassive 9000 Series > Networking
• Firewalls > SonicWall NSA Series > Networking
• Firewalls > TZ Series > Networking